Secure deployment of artifacts on a cloud computing platform

ABSTRACT

The disclosure relates to deploying validated artifacts on a cloud computing system. In an embodiment, a method for deploying artifacts on the cloud computing system includes receiving a request to deploy an artifact on the cloud computing system. The request includes a unique identifier of the artifact. The method further includes retrieving an artifact signature associated with the artifact from an artifact repository using the unique identifier of the artifact; verifying the artifact using the retrieved artifact signature; and deploying the artifact in a productive environment of the cloud computing system when the artifact is successfully verified. The artifact deployed in the productive environment is accessible by one or more tenants of the cloud computing system.

The present patent document is a § 371 nationalization of PCT Application Serial No. PCT/EP2018/063760, filed May 25, 2018, designating the United States, which is hereby incorporated by reference, and this patent document also claims the benefit of European Patent Application No. 18151637.8, filed Jan. 15, 2018, which is also hereby incorporated by reference.

TECHNICAL FIELD

The present disclosure generally relates to a cloud computing system including a cloud computing platform, and more particularly relates to secure deployment of artifacts on a cloud computing platform.

BACKGROUND

With the advent of cloud computing technology, a large number of devices (also known as ‘assets’) are connected to a cloud computing system via the Internet. The devices may be remotely located from the cloud computing system. For example, the devices may be equipment, sensors, actuators, robots, or machinery in an industrial set-up(s). The devices may also be medical devices and equipment in a healthcare facility. Furthermore, the devices may be home appliances or office appliances.

The cloud computing system may enable remote commissioning, configuring, monitoring, controlling, and maintaining of the connected devices. Also, the cloud computing system may facilitate storing large amounts of data periodically gathered from the devices, analyzing the large amounts of data, and providing insights (e.g., Key Performance Indicators, Outliers) and alerts to operators, field engineers or owners of the devices via a graphical user interface (e.g., of web applications). The insights and alerts may make it possible to control and maintain the devices, leading to efficient and fail-safe operation of the devices. The cloud computing system may also enable modifying parameters associated with the devices and issuing control commands via the graphical user interface based on the insights and alerts.

The cloud computing system may include a plurality of servers or processors (also known as ‘cloud infrastructure’), which may be geographically distributed or co-located, connected with each other via a network. A dedicated platform (hereinafter referred to as ‘cloud computing platform’) is installed on the servers/processors for providing the above functionality as a service (hereinafter referred to as ‘cloud service’). The cloud computing platform may include a plurality of software programs executed on one or more servers or processors of the cloud computing system to enable delivery of the requested service to the devices and their users (hereinafter referred to as tenants).

One or more artifacts are deployed in the cloud computing system to provide different cloud services to the tenants. The artifacts may include applications, simulation models, engineering configuration, application programming interfaces (APIs), and so on. For example, an application for monitoring operation of robots in a manufacturing facility may be deployed as an artifact. The application may be capable of analyzing the data collected from the robots over a period of time. The tenant may subscribe to a cloud service which analyzes the data associated with the robots (for which the tenant is responsible) using the application, and displays the outcome of analysis (e.g., outliers) to the tenant via a web application on the tenant device.

The cloud computing platform may enable a plurality of developers to develop, test and store the one or more artifacts in the artifact repository. Also, the cloud computing platform may facilitate providers to deploy one or more artifacts developed by the developers in the cloud computing system to deliver cloud services to one or more tenants of the cloud computing platform. However, it is possible that the artifacts deployed on the cloud computing system may be malicious and harmful to the cloud computing system and to the tenants who access these artifacts. The malicious artifacts may directly or indirectly affect operation of the devices, leading to malfunctioning of the devices and higher downtime.

In light of the above, there exists a need for secure deployment of artifacts on a cloud computing system.

SUMMARY AND DESCRIPTION

Therefore, it is the object of the present disclosure to provide a cloud computing system capable of securely deploying artifacts on the cloud computing system.

The scope of the present disclosure is defined solely by the appended claims and is not affected to any degree by the statements within this summary. The present embodiments may obviate one or more of the drawbacks or limitations in the related art.

Each artifact during the cloud computing system's lifecycle may go through development, testing, validation, deployment, provisioning, and monitoring process. The artifact may refer to a cloud application, an edge application, code snippet, hardware configuration, digital twin model, application programming interfaces (APIs), simulation software, firmware, device configuration, and so on. In some embodiments, the artifact may enable one or more tenants of a cloud computing system to access one or more cloud services provided by the cloud computing system. For example, the one or more cloud services enable the one or more tenants to efficiently commission, configure, monitor, control, and maintain an industrial plant communicatively connected to the cloud computing system.

The cloud computing system provides a cloud computing platform for developing, testing, validating, deploying, provisioning, and monitoring each artifact associated with a cloud service delivered by the cloud computing system. Thus, the cloud computing system enables management of an artifact during its lifecycle. This is referred to as ‘Artifact Lifecycle Management’. The artifact lifecycle management on the cloud computing platform enables interaction between different stages during the lifecycle of the artifact, thereby making management of the artifact easy and efficient during its lifecycle.

The object of the present disclosure is achieved by a method of securely deploying artifacts on a cloud computing system. The method includes receiving a request to deploy an artifact on a cloud computing system. The request includes a unique identifier of the artifact. The method further includes retrieving an artifact signature associated with the artifact from an artifact repository using the unique identifier of the artifact. The artifact signature retrieved from the artifact repository is generated during validation of the artifact. Furthermore, the method includes verifying the artifact using the retrieved artifact signature. Moreover, the method includes deploying the artifact in a productive environment of the cloud computing system if the artifact is successfully verified. Consequently, the artifact deployed in the productive environment is accessible by one or more tenants of the cloud computing system.

In an embodiment, the method may include retrieving an artifact package associated with the artifact from the artifact repository. The method may include generating an artifact signature using the retrieved artifact package associated with the artifact and comparing the generated artifact signature with the artifact signature retrieved from the artifact repository. The method may include determining whether a match is found between the generated artifact signature and the retrieved artifact signature. If the generated artifact signature matches with the retrieved artifact signature, the method may include generating a trigger to deploy the artifact in the productive environment of the cloud computing system. If the generated artifact signature does not match with the retrieved artifact signature, the method may include generating a notification indicating that verification of the artifact failed.

In another embodiment, the method may include generating a unique hash key by applying a cryptographic algorithm on the artifact package. The cryptographic algorithm is a secure hashing algorithm (SHA) such as SHA-256.
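The verification flow of the two embodiments above (regenerate the signature from the retrieved package, compare it with the stored one, then trigger deployment or a failure notification), as an added Python example that is not part of the patent text. The in-memory repository, the function names and the sample bytes are constructed for illustration; the HMAC variant is an assumption added here to show that an unkeyed SHA-256 stored beside the package only protects the package while the signature record itself cannot be rewritten.

```python
"""Deploy-time artifact verification (added illustration; all names hypothetical)."""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class ArtifactRepository:
    """In-memory stand-in for the artifact repository."""
    packages: dict = field(default_factory=dict)    # artifact id -> package bytes
    signatures: dict = field(default_factory=dict)  # artifact id -> hex signature


def sha256_signature(package: bytes) -> str:
    """Unkeyed 'hash key': SHA-256 over the artifact package."""
    return hashlib.sha256(package).hexdigest()


def keyed_signature(package: bytes, key: bytes) -> str:
    """Assumed hardening: HMAC-SHA256 under a key that is never stored in the repository."""
    return hmac.new(key, package, hashlib.sha256).hexdigest()


def sign_on_validation(repo, artifact_id, signer):
    """Validation side: store the signature once all validation checks have passed."""
    repo.signatures[artifact_id] = signer(repo.packages[artifact_id])


def deploy(repo, artifact_id, signer, productive_env):
    """Deployment side: verify first, install only on a match. Returns (deployed, message)."""
    package = repo.packages.get(artifact_id)
    stored = repo.signatures.get(artifact_id)
    if package is None or stored is None:
        # An artifact without a signature record was never validated: fail closed.
        return False, f"{artifact_id}: no validated signature on record, not deployed"
    generated = signer(package)
    # Constant-time comparison of the generated and the retrieved signature.
    if not hmac.compare_digest(generated, stored):
        return False, f"{artifact_id}: verification failed, not deployed"
    productive_env[artifact_id] = package
    return True, f"{artifact_id}: deployed"


def run_demo():
    """Run the same four cases against the unkeyed and the keyed signer."""
    key = b"constructed-demo-key"  # constructed; would be held by validator and deployer only

    def keyed(package):
        return keyed_signature(package, key)

    results = {}
    for name, signer in (("sha256", sha256_signature), ("keyed", keyed)):
        repo = ArtifactRepository()
        repo.packages["app-001"] = b"manifest+binary v1.0 (constructed sample)"
        sign_on_validation(repo, "app-001", signer)

        # Case 1: package unchanged since validation.
        results[name, "clean"] = deploy(repo, "app-001", signer, {})[0]

        # Case 2: package changed after validation, signature record untouched.
        repo.packages["app-001"] = b"manifest+binary v1.0 (changed after validation)"
        results[name, "package_changed"] = deploy(repo, "app-001", signer, {})[0]

        # Case 3: the signature record is also overwritten with a freshly
        # computed public SHA-256 of the changed package.
        repo.signatures["app-001"] = sha256_signature(repo.packages["app-001"])
        results[name, "record_rewritten"] = deploy(repo, "app-001", signer, {})[0]

        # Case 4: a package that was stored but never validated or signed.
        repo.packages["app-002"] = b"unvalidated package (constructed sample)"
        results[name, "unsigned"] = deploy(repo, "app-002", signer, {})[0]
    return results


if __name__ == "__main__":
    for (scheme, case), deployed in run_demo().items():
        print(f"{scheme:7s} {case:17s} deployed={deployed}")
```

Only case 3 separates the two schemes: with the unkeyed hash the rewritten record verifies, so the signature store needs its own write protection or a keyed or certificate-based signature.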

In yet another embodiment, the method may include provisioning the deployed artifact to the one or more tenants. The deployed artifact may be provisioned by creating a set-up route between the deployed artifact and each of the tenants.

In a further embodiment, the method may include installing the artifact package in the productive environment using application programming interface(s) and database files.

The object of the present disclosure is also achieved by a cloud computing system that includes one or more processing units, and at least one memory unit communicatively coupled to the one or more processing units. The memory unit includes an artifact lifecycle management module stored in the form of machine-readable instructions executable by the one or more processing units. The artifact lifecycle management module is configured to perform or initiate any of the method acts described above.

The object of the present disclosure is also achieved by a system including a cloud computing system described above; and a plurality of tenant devices communicatively coupled to the cloud computing system. Each of the plurality of tenant devices is capable of accessing one or more artifacts deployed on the cloud computing system.

The object of the present disclosure is also achieved by a computer program product including instructions which, when executed by the cloud computing system described above, cause the cloud computing system to carry out any of the method acts described above.

BRIEF DESCRIPTION OF THE DRAWINGS

The above-mentioned and other features of the disclosure will now be addressed with reference to the accompanying drawings. The illustrated embodiments are intended to illustrate, but not limit the disclosure.

The present disclosure is further described hereinafter with reference to illustrated embodiments shown in the accompanying drawings, in which:

FIG. 1 is a schematic representation of a cloud computing system capable of managing artifacts throughout the lifecycle, according to an embodiment.

FIG. 2 is a diagrammatic representation illustrating high level interaction between different components of an artifact lifecycle management module, according to an embodiment.

FIG. 3 is a process flowchart illustrating an exemplary method of artifact lifecycle management on the cloud computing system, according to an embodiment.

FIG. 4 is a block diagram of an artifact validation module capable of validating an artifact to be deployed in a productive environment, according to an embodiment.

FIG. 5 is a block diagram of the artifact validator capable of performing validation checks on the artifact to be deployed in the productive environment, according to an embodiment.

FIG. 6 is a process flowchart illustrating an exemplary method of performing validation of artifacts to be deployed in the productive environment, according to an embodiment.

FIG. 7 is a block diagram of the artifact deployment module capable of secure deployment of the artifact in the productive environment, according to an embodiment.

FIG. 8 is a process flowchart illustrating an exemplary method of secure deployment of the artifacts in the productive environment, according to an embodiment.

FIG. 9 is an example of a graphical user interface displaying different applications associated with a developer.

FIG. 10 is an example of a graphical user interface showing an application to be deployed in the productive environment.

FIG. 11 is an example of a graphical user interface showing status of the application provisioned to tenants.

FIG. 12 is an example of a graphical user interface showing runtime behavior of the application being monitored.

FIG. 13 is a schematic representation of the cloud computing system such as those shown in FIG. 1, according to an embodiment.

DETAILED DESCRIPTION

Various embodiments are described with reference to the drawings, wherein like reference numerals are used to refer to like elements throughout. In the following description, for the purpose of explanation, numerous specific details are set forth in order to provide thorough understanding of one or more embodiments. It may be evident that such embodiments may be practiced without these specific details.

Throughout the specification, the terms ‘cloud computing system’ and ‘cloud system’ mean the same. Also, the terms ‘cloud computing platform’ and ‘cloud platform’ mean the same.

FIG. 1 is a schematic representation of an IoT-cloud environment 100, according to an embodiment. Particularly, FIG. 1 depicts the cloud system 102 which is capable of providing cloud services for managing an industrial plant 106 including assets 108A-N. The cloud computing system 102 is connected to assets 108A-N in the industrial plant 106 via a network 104 (e.g., Internet). The assets 108A-N may include servers, robots, switches, automation devices, motors, valves, pumps, actuators, sensors, and other industrial equipment. Although FIG. 1 illustrates the cloud computing system connected to one industrial plant, one skilled in the art may envision that the cloud computing system 102 may be connected to several industrial plants located at different locations via the network 104. For example, the cloud services may include commissioning the industrial plant 106, simulating the industrial plant 106, monitoring and controlling the industrial plant 106, maintaining the industrial plant 106, upgrading the industrial plant 106 and so on. The cloud services may also include managing assets in the industrial plant 106, storing and analyzing plant data received from the assets 108A-N via an IoT gateway (not shown), visualizing the analyzed data to personnel associated with the industrial plant 106, downloading software/firmware onto the assets, etc.

In order to access the cloud services, one or more artifacts are required to be deployed on a cloud computing platform, which are then accessed by personnel and assets in the industrial plant 106 to avail the cloud services. Therefore, the cloud computing system 102 is provided which is capable of managing artifacts throughout its lifecycle. Exemplary artifacts may include applications (application for monitoring plant), simulation models, engineering configuration, digital twin models, code snippets, APIs, security applications, firmware, microservices, and so on.

The cloud computing system 102 is also connected to user devices 130A-N via the network 104. The user devices 130A-N may access the cloud computing system 102 for managing and/or accessing the artifacts and accessing the cloud services.

The cloud computing system 102 includes a cloud interface 110, cloud hardware and OS 112, a cloud computing platform 114, and an artifact repository 128. The cloud interface 110 enables communication between the cloud computing platform 114 and the industrial plant 106. Also, the cloud interface 110 enables communication between the cloud computing platform 114 and the user devices 130A-N.

The cloud hardware and OS 112 may include one or more servers on which an operating system is installed and including one or more processing units, one or more storage devices for storing data, and other peripherals required for providing cloud computing functionality. The cloud computing platform 114 is a platform which implements functionalities such as data storage, data analysis, data visualization, data communication on the cloud hardware and OS 112 via APIs and algorithms; and delivers the aforementioned cloud services using artifacts. The cloud computing platform 114 employs an artifact lifecycle management module 116 for managing artifacts responsible for delivering cloud services throughout its lifecycle. The cloud computing platform may include a combination of dedicated hardware and software built on top of the cloud hardware and OS 112.

The artifact lifecycle management module 116 is stored in the form of machine-readable instructions and executable by the cloud computing platform 114. The artifact lifecycle management module 116 includes an artifact development module 118, an artifact validation module 120, an artifact deployment module 122, an artifact provisioning module 124, and an artifact monitoring module 126. The artifact development module 118 is configured for generating a development environment for developing an artifact. The development environment is made accessible via a graphical user interface of the user device 130A-N using valid credentials. The artifact development module 118 is configured for generating an artifact package of the artifact using the development environment. If the artifact is an application, the artifact package may include binary code and a manifest file. Additionally, the artifact development module 118 is configured for testing the artifact package using one or more test scenarios via the development environment. The artifact development module 118 is configured to store the artifact in the artifact repository 128 for validation and deployment purposes. The artifact development module 118 is configured to receive feedback on the artifact from the artifact validation module 120, the artifact deployment module 122 and the user devices 130A-N. The artifact development module 118 is configured to process the feedback and make necessary changes to the artifact so that the artifact may be deployed and used without any issues.

The artifact validation module 120 is configured to automatically validate an artifact to be deployed on the cloud computing platform 114. The artifact deployment module 122 is configured to deploy the validated artifact in a productive environment of the cloud computing platform 114. The productive environment is a live system which makes the artifact usable by tenants. In other words, the deployed artifact is executed in the productive environment when the tenant accesses the artifact.

The artifact provisioning module 124 is configured to provision the deployed artifact to one or more tenants of the cloud computing platform 114. In other words, the artifact provisioning module 124 is configured to assign the artifact to requesting tenants. When the artifact is provisioned to the tenant, the artifact is displayed on a user interface of a tenant device (e.g., the user device 130A). The tenant may access cloud services using the provisioned artifact. Alternatively, the tenant may access the artifact itself using the tenant device 130A. The tenant may be the owner of assets in the industrial plant 106 who has subscribed to the artifacts deployed on the cloud computing platform 114. The tenant user associated with the tenant may be a tenant administrator of the industrial plant 106 who may assign rights to access the artifact deployed on the cloud computing platform 114 to sub-tenants (e.g., other tenant users). In the industrial plant 106, the sub-tenants may include but are not limited to plant operators, field engineers, commissioning agents, IoT agents, IoT gateways, industrial assets, remote devices such as mobiles, tablets, laptops and so on. The artifacts deployed on the cloud computing platform 114 may enable the tenants to commission the industrial plant 106, monitor and control the assets 108A-N in the industrial plant 106 and its operation, conduct maintenance of the industrial plant 106 and its assets 108A-N, configure an automation system in the industrial plant 106, and monitor and control the automation system in the industrial plant 106 using various services provided by the cloud computing platform 114.

Additionally, the artifact may enable the tenants to configure the assets 108A-N using the cloud services, onboard assets on to the cloud computing platform 114, send real-time raw plant data (e.g., operational data collected by sensors deployed in the industrial plant 106) to the cloud computing platform 114 via an IoT gateway, retrieve aggregated plant data from the cloud computing system 102, analyze the plant data or a specific condition, visualize the analyzed plant data, access digital twin models of assets, perform simulation of plant environment using digital twin models, manage IoT devices, download different versions of firmware, etc. using the cloud services provided by the cloud computing platform 114. The artifact may also be responsible for processing requests from the sub-tenants by invoking appropriate APIs and providing output to the tenants on the graphical user interface based on the execution of the APIs and their functions.

The artifact monitoring module 126 is configured to monitor behavior of the artifact deployed in the productive environment during runtime (e.g., execution of the artifact on the cloud computing platform 114), and provide feedback to the artifact development module 118, the artifact deployment module 122, and the tenants via the user devices 130A-N. Additionally, the feedback notification is sent to the artifact validation module 120 so that the artifact validation module 120 considers the feedback during validation of the modified artifact. The interaction between different modules of the artifact lifecycle management module 116 is described in greater detail below.

FIG. 2 is a diagrammatic representation illustrating high level interaction between different components of the artifact lifecycle management module 116, according to an embodiment. In an exemplary operation, the artifact development module 118 generates an artifact package (e.g., binary code with APIs, manifest files, and database files) of an artifact (e.g., software application) based on user inputs provided via an integrated development environment. The artifact development module 118 assigns a unique identifier to the artifact. Also, the artifact development module 118 performs testing of the artifact using different test scenarios and stores the artifact package in the artifact repository 128 if the artifact passes the tests.

The artifact validation module 120 monitors new artifacts being stored in the artifact repository 128. Accordingly, when a new artifact is stored, the artifact validation module 120 automatically identifies the new artifact stored in the artifact repository 128. The artifact validation module 120 determines the category of the artifact stored in the artifact repository 128 from a plurality of categories using the artifact identifier and determines one or more validation checks to be performed on the artifact based on the category of the artifact. For example, if the artifact is a software application, then the artifact validation module 120 performs a virus scan of the binary code or artifact package during pre-check, a dependency check during static screening, and a check of the behavior of the artifact by executing the artifact in a sandbox environment 202 during dynamic screening.

The artifact validation module 120 performs validation of the artifact using the determined validation checks. The artifact validation module 120 signs the artifact using an artifact signature (e.g., hash key) and stores the artifact signature associated with the artifact in the artifact repository 128. In some embodiments, the artifact validation module signs the artifact using checksum or certificate. Also, the artifact validation module 120 sends a first notification to the artifact development module 118 indicating the artifact validation is successfully performed.

If the artifact validation is not successful, the artifact validation module 120 determines reasons for unsuccessful validation of the artifact. The artifact validation module 120 determines whether the issues in the artifact may be resolved automatically. In such case, the artifact validation module 120 performs corrective actions on the artifact using a machine learning model. The machine learning model is pre-trained to resolve issues in the artifact if the validation of the artifact is unsuccessful. The artifact validation module 120 then performs, on the modified artifact, the validation check(s) which were unsuccessful.

If the issues cannot be resolved, then the artifact validation module 120 sends a second notification to the artifact development module 118 indicating the reasons for unsuccessful validation of the artifact. The developer may fix the issues in the artifact based on the second notification using the development environment and store the updated version of the artifact in the artifact repository 128. Accordingly, the artifact validation module 120 performs validation of new version of the artifact.

Based on the first notification, the artifact development module 118 assigns the artifact for deployment in a productive environment 204 to a provider/deployer. The artifact deployment module 122 downloads the artifact package associated with the artifact from the artifact repository 128. Also, the artifact deployment module 122 may provide APIs and other services such as database services required for deployment of the artifact on the cloud computing platform 114. The artifact deployment module 122 authenticates the artifact based on the artifact signature. If the artifact is authenticated successfully, then the artifact deployment module 122 deploys the artifact in the productive environment 204 of the cloud computing platform 114 using the artifact package, APIs, and database services. Because the artifact is deployed in the productive environment 204, the artifact may be accessed and used to perform associated functions such as commissioning, configuring, monitoring, controlling, and/or maintaining assets 108A-N in the industrial plant 106 via the cloud computing platform 114.

Accordingly, the artifact deployment module 122 may test the behavior of the artifact in the productive environment 204. If the performance of the artifact is satisfactory, the artifact deployment module 122 assigns the artifact to one or more tenants who have requested the access to the artifact. Accordingly, the artifact provisioning module 124 provisions the artifact to the requested tenants. The access to the artifact may refer to using one or more cloud services hosted on the cloud computing platform 114 by accessing the artifact deployed in the productive environment 204 via the user devices 130A-N.

The artifact monitoring module 126 monitors behavior of the artifact during runtime and reports the abnormal behavior of the artifact to the owner of the artifact, the provider of the artifact, and the tenant of the artifact. In one embodiment, the artifact deployment module 122 may temporarily suspend the execution of the artifact in case abnormal behavior is reported. In another embodiment, the artifact deployment module 122 may uninstall the artifact from the productive environment 204 in case abnormal behavior is reported. In this manner, the artifact is developed, validated, deployed, provisioned, and monitored using the cloud computing platform 114.

FIG. 3 is a process flowchart 300 illustrating an exemplary method of artifact lifecycle management on a cloud computing system, according to an embodiment. At act 302, a development environment is provided on the cloud computing platform 114. The development environment may include providing a user interface with necessary tools and software, hosted on the cloud computing platform 114, such that the development environment enables the developer to develop and test artifacts to be deployed on the cloud computing platform 114. In some embodiments, the development environment may be collaborative development environment which enables developers to develop an artifact from remote locations individually or in collaborative manner.

For example, if the artifact is a software application, then the development environment provides a user interface to generate application package (e.g., set of files related to the software application). The development environment may be created and displayed based on profile information of the developer. In some embodiments, different development environments are set up for different developers based on their profile information. Also, the development environment may be provided based on category of artifact to be developed. If the artifact to be developed is a cloud application, then the development environment suitable for generating the application may be provided. However, if the artifact to be developed is an engineering configuration, then the development environment for generating engineering configuration for an automation system is generated. The development environment is hosted on the cloud computing system 102. The development environment is sometimes referred to as ‘integrated development environment’.

At act 304, an artifact is developed using the integrated development environment. In one embodiment, the artifact is developed using artificial intelligence (AI) algorithms. In another embodiment, the artifact is developed based on inputs from the developer. At act 306, the artifact is tested in the integrated development environment using different test scenarios. At act 308, the artifact is stored in the artifact repository 128. For example, the artifact package including binary code, manifest files, database files, and associated APIs is stored in the artifact repository 128. The artifact is also assigned a unique identifier so that the artifact may be searched and retrieved from the artifact repository 128 from time to time. Also, the unique identifier helps in tracking the artifact during its lifecycle. The artifact is also assigned a version number which would help in managing artifacts based on versions.

At act 310, validation is performed on the artifact. For example, one or more validation checks are performed on the artifacts. If the validation checks are successful, the artifact is signed using an artifact signature (e.g., hash key). The artifact signature associated with the artifact is stored in the artifact repository 128. At act 312, it is determined whether the validation performed on the artifact is successful. If the validation is not successful, feedback is provided to the developer indicating the validation checks which have failed and reasons for failure. The developer may fix the issues in the artifact and store the modified artifact in the artifact repository 128. The validation checks are performed again, when the modified artifact is automatically determined in the artifact repository 128. If the validation is not successful, then the artifact may be automatically modified based on corrective actions. The corrective actions are automatically computed based on machine learning techniques (e.g., AI models) and so on. Then, the validation checks are performed on the modified artifact. In some embodiments, the cloud computing platform 114 selectively performs the validation checks which the artifact failed previously. This would save time and resources in validating the artifact.

If the validation of the artifact is successful, then at act 314, the artifact is authenticated and deployed in a productive environment (e.g., the productive environment 204). In some embodiments, if the validation of the artifact is successful, then the artifact is assigned to an appropriate provider/deployer by the developer. Accordingly, the artifact is displayed in a graphical user interface (e.g., web interface) of the concerned provider/deployer. Thereafter, the provider initiates deployment process. Alternatively, the artifact may be automatically deployed in the productive environment 204 of the cloud computing platform 114 once the validation of the artifact is successful.

At act 316, the artifact is provisioned to one or more tenants of the cloud computing platform 114. In some embodiments, the artifact provisioning module 124 establishes a set-up route between the artifact in the productive environment 204 and profile of the tenants. This enables the authorized tenants to view, access, and use the artifact and its functionality via the cloud computing platform 114. At act 318, the artifact deployed on the cloud computing platform 114 is monitored in real-time. For example, the artifact is monitored for malicious behavior, performance, suspicious activity, high resource consumption, and so on. At act 320, it is determined whether the operation of the artifact is normal. If it is determined that the operation of the artifact is not normal, then at act 322, the execution of the artifact on the cloud computing platform 114 is suspended temporarily or un-deployed from the productive environment 204 based on the nature of the issue. Accordingly, a feedback notification indicating abnormal behavior of the artifact is provided to the developer of the artifact, the tenant of the cloud computing platform 114, and the provider of the artifact. Additionally, the feedback notification is provided to the artifact validation module 120 so that the artifact validation module 120 considers the feedback during validation of the modified artifact. The developer may modify the artifact based on the feedback notification. The artifact may be revalidated and/or re-deployed in the productive environment 204. Then, the modified artifact is provisioned to the tenants. If no abnormal behavior is found during monitoring activity, then execution of the artifact is continued uninterruptedly.

FIG. 4 is a block diagram of the artifact validation module 120 capable of validating the artifact to be deployed in the productive environment 204, according to an embodiment. The artifact validation module 120 includes an artifact detection module 402, an artifact validator 404, a reporting module 406, and a feedback module 408.

The artifact detection module 402 is configured for automatically detecting storing of a new artifact by the artifact development module 118 in the artifact repository 128. For example, the artifact detection module 402 may monitor a repository file to determine the new artifacts stored in the artifact repository 128. Alternatively, the artifact detection module 402 may receive a trigger from the artifact repository 128 when uploading of the new artifact in the artifact repository 128 is complete.

The artifact validator 404 is configured for performing a plurality of validation checks on the artifact to identify issues in the artifact prior to deployment. In one embodiment, a pre-check (e.g., first validation check), static screening (e.g., a second validation check), and dynamic screening (e.g., third validation check) may be performed on the artifact. The artifact validator 404 is also configured to sign the artifact using an artifact signature if the artifact passes all the validation checks. The reporting module 406 is configured for generating a first notification indicating that the artifact has passed the validation process.

The feedback module 408 is configured for determining which of the validation checks were unsuccessful. The feedback module 408 is configured for determining the reasons responsible for the unsuccessful validation checks. Also, the feedback module 408 is configured for automatically resolving issues by performing corrective actions computed using machine learning techniques (e.g., trained artificial intelligence models). Furthermore, the feedback module 408 is configured for generating a second notification indicating that the artifact failed validation check(s) and the reasons for such failure. The feedback module 408 is configured for sending the second notification to the artifact development module 118.

FIG. 5 is a block diagram of the artifact validator 404 capable of performing validation checks on the artifact to be deployed in the productive environment 204, according to an embodiment. The artifact validator 404 includes a pre-check module 502, a static screening module 504, a dynamic screening module 506, and an artifact signing module 508.

The pre-check module 502 is configured to perform a pre-check on an artifact package of the artifact. The pre-check is performed on the artifact in order to identify obvious defects in artifacts. For example, the pre-check module 502 may perform a virus and malicious code scan on the artifact package, check the icon of the artifact for compliance, determine adherence of the artifact to standards, perform syntax and semantics checks, etc.

The static screening module 504 is configured to perform static screening of the artifact. For example, the static screening module 504 performs dependency checks, insecure credential analysis, indicator carving analysis, application asset carving and clearing, etc. The static screening module 504 may crawl for dependencies and identify vulnerabilities in the dependencies. The static screening module 504 may crawl for hardcoded certificates, private keys, usernames, passwords, etc. and identify insecure credentials associated with the artifact. The static screening module 504 may crawl for hardcoded URLs, IP addresses, and domains and check them against a threat intelligence database. The static screening module 504 may crawl for embedded files (e.g., images, stylesheets, scripts, documents) and check them against anti-virus engines and a threat intelligence database.
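The insecure credential analysis and indicator carving described above can be sketched as follows. This is an added example, not code from the patent: the patterns, the threat-intelligence entries, the function names and the sample artifact files are all constructed for illustration.

```python
from __future__ import annotations

import ipaddress
import re
from typing import NamedTuple
from urllib.parse import urlsplit

# Constructed threat-intelligence entries (reserved .example name, RFC 5737 address).
THREAT_INTEL = {"updates.badcdn.example", "203.0.113.66"}

# Illustrative patterns for hardcoded credentials; a real rule set is much larger.
CREDENTIAL_PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "certificate": re.compile(r"-----BEGIN CERTIFICATE-----"),
    "password_assignment": re.compile(
        r"(?:password|passwd|pwd|secret|api_?key)\w*\s*[:=]\s*[\"'][^\"']{4,}[\"']",
        re.IGNORECASE),
    "url_userinfo": re.compile(
        r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.IGNORECASE),
}
URL_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s\"'<>)]+", re.IGNORECASE)
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


class Finding(NamedTuple):
    path: str
    line: int
    kind: str
    detail: str


def carve_indicators(text: str) -> set[str]:
    """Return normalised hostnames and IPv4 addresses found in one line."""
    hosts = set()
    for url in URL_RE.findall(text):
        try:
            host = urlsplit(url).hostname
        except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
            continue
        if host:
            hosts.add(host.rstrip(".").lower())
    for candidate in IPV4_RE.findall(text):
        try:
            hosts.add(str(ipaddress.ip_address(candidate)))
        except ValueError:  # 999.1.1.1 and similar are not addresses
            continue
    return hosts


def screen_files(files: dict[str, bytes]) -> list[Finding]:
    """Static screening pass over artifact files given as {path: content}."""
    findings = []
    for path in sorted(files):
        # Binary files are decoded leniently so embedded strings are still scanned.
        text = files[path].decode("utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), start=1):
            for kind, pattern in CREDENTIAL_PATTERNS.items():
                if pattern.search(line):
                    # Report the location only; never copy the secret into reports.
                    findings.append(Finding(path, lineno, kind, "value redacted"))
            for host in sorted(carve_indicators(line) & THREAT_INTEL):
                findings.append(Finding(path, lineno, "threat_intel_match", host))
    return findings


# Constructed artifact package used as sample input.
SAMPLE_ARTIFACT = {
    "app/config.py": (b'DB_URL = "postgres://deploy:hunter2pass@db.internal.example/app"\n'
                      b'PASSWORD = "s3cr3t-value"\n'),
    "app/update.js": (b'fetch("https://updates.badcdn.example/v1/payload.js");\n'
                      b'const fallback = "203.0.113.66";\n'),
    "app/README.md": b"Docs: https://docs.example.org/robot-control\n",
    "app/logo.png": b"\x89PNG\r\n\x1a\n\x00\x00",
}

if __name__ == "__main__":
    for f in screen_files(SAMPLE_ARTIFACT):
        print(f"{f.path}:{f.line}: {f.kind} ({f.detail})")
```

An empty result list corresponds to the artifact passing this part of static screening; any finding would be routed to the feedback path.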

The dynamic screening module 506 is configured to perform dynamic screening on the artifact. In one embodiment, the dynamic screening module 506 is configured to test the behavior of the artifact in runtime environment by executing the artifact in the sandbox environment 202. In this embodiment, the dynamic screening module 506 is configured to determine whether the artifact behavior is acceptable when deployed on the cloud computing platform 114. For example, the dynamic screening module 506 may check for Open Web Application Security Project (OWASP) web-application vulnerabilities, data exfiltration, insecure data storage, API conformance, robustness, performance, user interface/experience, deployment issues, etc.

The artifact signing module 508 is configured to sign the artifact with an artifact signature. The artifact may be signed using a checksum or certificate. In one embodiment, the artifact signing module 508 applies SHA-256 to the artifact files and generates a hash key for the artifact. An exemplary hash key for an artifact is given below:

0xe3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

The artifact signing module 508 stores the artifact signature of the signed artifact in the artifact repository 128.

FIG. 6 is a process flowchart 600 illustrating an exemplary method of performing validation of artifacts to be deployed in the productive environment 204, according to an embodiment. At act 602, an event associated with an artifact in the artifact repository 128 is automatically determined. For example, the event may be the act of storing the artifact package in the artifact repository 128 by the artifact development module 118. In such a case, the artifact to be deployed in the productive environment 204 is identified from the artifact repository 128. Alternatively, the event may be the act of updating the artifact package stored in the artifact repository 128. If there are several artifacts waiting for validation, the newly determined artifact is added to the queue. If multiple artifacts are uploaded simultaneously, the artifacts are added to the respective queue based on the determined category of the artifact. For example, several queues of artifacts may be maintained; each queue contains artifacts of a specific category.

At act 604, a pre-check of the artifact files is performed to determine obvious defects in the artifact. At act 606, it is determined whether pre-check performed on the artifact is successful. If the artifact fails the pre-check, then at act 608, a feedback indicating that the artifact failed one of the validation checks is sent to owner of the artifact (e.g., the developer). Alternatively, the artifact is modified according to pre-defined corrective actions and the pre-check of the modified artifact is performed. In some embodiments, the pre-defined corrective actions are determined using machine learning techniques. If the artifact passes the pre-check, then at act 610, a static screening of the artifact files is performed. For example, the static screening of the artifact includes dependency checks, insecure credential analysis, indicator carving analysis, application asset carving and clearing, etc.

At act 612, it is determined whether the static screening performed on the artifact is successful. If the artifact fails static screening, then at act 608, a feedback indicating that the artifact failed one of the validation checks is sent to owner of the artifact (e.g., the developer). Alternatively, the artifact is modified according to pre-defined corrective actions and the static screening of the modified artifact is performed. In some embodiments, the pre-defined corrective actions are determined using machine learning techniques. If the artifact passes the static screening, then at act 614, a dynamic screening of the artifact files is performed. In one embodiment, dynamic screening of the artifact involves executing the artifact in a sandbox environment 202 to test behavior of the artifact during runtime. In this embodiment, it is determined whether behavior of the artifact is within the acceptable standard when deployed on the cloud computing platform 114.

At act 616, it is determined whether the dynamic screening performed on the artifact is successful. If the artifact fails dynamic screening, then at act 608, a feedback indicating that the artifact failed one of the validation checks is sent to owner of the artifact (e.g., the developer). Alternatively, the artifact is modified according to pre-defined corrective actions and the static screening of the modified artifact is performed. In some embodiments, the pre-defined corrective actions are determined using machine learning techniques.

If the dynamic screening of the artifact is successful, then at act 618, an artifact signature for the artifact is generated using the artifact files. For example, a hash key is generated by applying the SHA-256 algorithm on the artifact files. At act 620, the artifact is signed using the artifact signature. That is, the artifact signature is linked to the identifier associated with the artifact. At act 622, the artifact signature assigned to the artifact is stored in the artifact repository 128. Also, a notification indicating that the artifact is successfully validated is sent to the artifact development module 118. It may be noted that the pre-check, static screening, and dynamic screening of the artifact may be performed in parallel. This would save time required for validating the artifact. It may be noted that there may be more validation checks in addition to pre-check, static screening, and dynamic screening of artifacts. Also, the type of validation checks performed in each of pre-check, static screening and dynamic screening may vary based on the category of the artifact and the validation requirements for deploying the artifact on the cloud computing platform 114.

FIG. 7 is a block diagram of the artifact deployment module 122 capable of secure deployment of the artifact in the productive environment 204, according to an embodiment. The artifact deployment module 122 includes an authentication module 702, a deployment module 704, and a notification module 706.

The authentication module 702 is configured to authenticate the artifact requested to be deployed in the productive environment 204 based on the artifact signature. In one embodiment, the authentication module 702 re-generates a unique hash key by applying a secure hashing algorithm (e.g., SHA-256) on the artifact files. The authentication module 702 compares the re-generated hash key with the hash key associated with the artifact stored in the artifact repository 128. The authentication module 702 determines whether both the hash keys match. The authentication module 702 triggers an event to deploy the artifact if both hash keys match.

The deployment module 704 is configured to deploy the artifact in the productive environment 204 based on the event triggered by the authentication module 702. The deployment module 704 is configured to provide necessary APIs and database services for deploying the artifact in the productive environment 204.

The notification module 706 is configured to notify the owner/deployer of the artifact in case the authentication fails. The notification module 706 is also configured to notify the provider/deployer in case the artifact is successfully deployed in the productive environment 204.

FIG. 8 is a process flowchart 800 illustrating an exemplary method of secure deployment of the artifacts in the productive environment 204 of the cloud computing platform 114, according to the embodiment. At act 802, a request to deploy the artifact on the cloud platform 114 is received. In one embodiment, the artifact may be assigned to a specific provider/deployer for deployment in the productive environment 204 either automatically or by the owner of the artifact upon successful validation of the artifact. The assignment of the artifact is sent as a request to deploy the artifact on the cloud computing platform 114. Alternatively, the provider/deployer may search for a desired artifact in the artifact repository 128 using an artifact identifier/name. The provider/deployer may send a request to the artifact deployment module 124 to deploy the artifact.

At act 804, a signature is re-generated using the artifact files associated with the artifact to be deployed on the cloud computing platform 114. For example, a hash key is re-generated by applying the SHA-256 algorithm on the artifact files. At act 806, the artifact signature associated with the artifact is retrieved from the artifact repository 128. At act 808, it is determined whether the artifact signature matches the re-generated artifact signature. If no match is found, then at act 810, a notification is generated indicating that the artifact is not genuine. Accordingly, the request to deploy the artifact on the cloud computing platform 114 is rejected.

If a match is found, at act 812, the artifact package associated with the artifact and associated files (e.g., APIs, database files, etc.) are retrieved from the artifact repository 128. At act 816, the artifact is deployed in the productive environment 204 of the cloud platform 114. At act 818, the artifact is provisioned to one or more tenants of the cloud platform 114. For example, the artifact is assigned to the tenants so that the tenants may use the artifact deployed in the productive environment 204. The artifact is assigned to tenants who have subscribed to the artifact. In addition, the tenants may assign the artifact to sub-tenants so that sub-tenants may access the artifact.
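The signing step (acts 618 to 622) and the deployment-time check (acts 802 to 816) are shown together in the following added example, which is not code from the patent. The repository class, function names, sample package and the length-prefixed multi-file encoding are assumptions, since the text only says SHA-256 is applied to the artifact files. The example also refuses a stored signature equal to the SHA-256 of empty input, which is the value the text prints as its exemplary hash key.

```python
from __future__ import annotations

import hashlib
import hmac

# SHA-256 of zero bytes of input; a stored signature with this value means
# the hasher was fed no artifact bytes at all.
EMPTY_INPUT_DIGEST = hashlib.sha256(b"").hexdigest()


def artifact_signature(files: dict[str, bytes]) -> str:
    """SHA-256 over a canonical, length-prefixed encoding of every file.

    Sorting the paths makes the digest independent of upload order, and the
    length prefixes stop bytes from sliding between a name and its content.
    """
    digest = hashlib.sha256()
    for path in sorted(files):
        name = path.encode("utf-8")
        for part in (name, files[path]):
            digest.update(len(part).to_bytes(8, "big"))
            digest.update(part)
    return digest.hexdigest()


class ArtifactRepository:
    """In-memory stand-in for the artifact repository 128 (hypothetical)."""

    def __init__(self) -> None:
        self.packages: dict[str, dict[str, bytes]] = {}
        self.signatures: dict[str, str] = {}


def sign_after_validation(repo, artifact_id, validation_passed):
    """Acts 618-622: generate the signature, link it to the identifier, store it."""
    if not validation_passed or not repo.packages.get(artifact_id):
        return None  # nothing is signed unless every validation check passed
    signature = artifact_signature(repo.packages[artifact_id])
    repo.signatures[artifact_id] = signature
    return signature


def handle_deploy_request(repo, artifact_id, productive_env):
    """Acts 802-816: re-generate, retrieve, compare, then deploy or reject."""
    package = repo.packages.get(artifact_id)
    if not package:
        return False, "rejected: no artifact files for this identifier"
    regenerated = artifact_signature(package)              # act 804
    stored = repo.signatures.get(artifact_id)              # act 806
    if stored is None or stored == EMPTY_INPUT_DIGEST:
        # Fail closed: an unsigned artifact never reaches the productive environment.
        return False, "rejected: artifact has no valid stored signature"
    if not hmac.compare_digest(regenerated, stored):       # act 808
        return False, "rejected: artifact is not genuine"  # act 810
    productive_env[artifact_id] = dict(package)            # acts 812-816
    return True, "deployed"


# Constructed sample package; the identifier "artifact-001" is also constructed.
SAMPLE_PACKAGE = {
    "manifest.json": b'{"name": "Robot Control", "version": "v1.1"}',
    "bin/control.py": b"print('move arm')\n",
}


def demo():
    repo = ArtifactRepository()
    repo.packages["artifact-001"] = dict(SAMPLE_PACKAGE)
    sign_after_validation(repo, "artifact-001", validation_passed=True)
    env = {}
    first = handle_deploy_request(repo, "artifact-001", env)
    # A file changed in the repository after validation no longer matches.
    repo.packages["artifact-001"]["bin/control.py"] += b"# changed after validation\n"
    second = handle_deploy_request(repo, "artifact-001", {})
    return first, second


if __name__ == "__main__":
    print(demo())
```

A bare digest detects modification only as long as whoever can rewrite the package cannot also rewrite the stored signature. A digital signature over the digest, made with a key held outside the repository, removes that dependency.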

FIG. 9 is a graphical user interface 900 displaying different artifacts associated with a developer. In FIG. 9, the graphical user interface 900 displays a dashboard 902 associated with a developer. The developer may access the dashboard 902 by signing in to a development environment provided by the cloud computing platform 114. The dashboard 902 displays a grid layout of different applications 904A-H created by a developer (e.g., Jonathan Doe). The dashboard 902 displays the icon of the applications 904A-H, the state of the applications 904A-H (e.g., validation failed, validation successful, not validated, deployed, provisioned, in development, testing, registered, uploaded, etc.), and the version number associated with the applications 904A-H. The dashboard 902 enables the developer to create a new application using ‘create new application’ link 906 or a new version of the artifact using ‘create new version’ link 908. The dashboard 902 allows the developer to search for specific applications from the plurality of applications 904A-H using a search bar 910.

FIG. 10 is a graphical user interface 1000 showing an application to be deployed in the productive environment 204. In FIG. 10, the graphical user interface 1000 depicts details 1002 of an application (e.g., Robot Control) ready for deployment in the productive environment 204. The details of the application are displayed in the graphical user interface 1000 of a provider based on assignment of the application by a developer upon successful validation of the application. The graphical user interface 1000 displays APIs 1004 required for deployment of the application on a live system (e.g., the productive environment 204). The graphical user interface 1000 provides a deploy button 1006 which enables the provider/deployer to trigger deployment of the application in the productive environment 204. Also, the graphical user interface 1000 provides a download button 1008 which enables the provider/deployer to download an application package (e.g., binary code, APIs, manifest files) of the application.

FIG. 11 is a graphical user interface 1100 showing status of an application provisioned to tenants. In FIG. 11, the graphical user interface 1100 displays details of the application (e.g., Robot Control) provisioned to the tenants 1104. For example, the graphical user interface 1100 displays name of the application as ‘Robot Control’, a version of the application as ‘v1.1’, a unique identifier of the application as ‘290897’, and a developer identifier as ‘IDDevABC’. Also, the graphical user interface 1100 displays health status 1106 of the application. For example, the health status 1106 of the application ‘Robot Control’ is displayed as ‘Running’. The graphical user interface 1100 displays provisioning status 1108 of the application. For example, the provisioning status 1106 of the application ‘Robot Control’ is displayed as ‘Published’. Also, the graphical user interface 1100 displays status 1110 of the application with respect to each of the tenants 1 to 9 in the tenant list 1104, who have subscribed to the application. For example, the graphical user interface 1100 displays status 1110 of the application ‘Robot Control’ with respect to the tenant 1 as ‘active’. Similarly, the graphical user interface 1100 displays status 1110 of the application ‘Robot Control’ with respect to the tenant 3 as ‘activation requested’. That is, the tenant 3 has requested the provider to activate the application ‘Robot Control’.

FIG. 12 is a graphical user interface 1200 showing runtime behavior of applications being monitored. In FIG. 12, the graphical user interface 1200 displays real time status of the provisioned application (e.g., Robot Control) which is monitored by the artifact monitoring module 126 in real time. The real time status indicates health status of the application, traffic data, usage data, trend comparison, subscription information, etc. The graphical user interface 1200 may also display abnormal behavior of the application if detected during monitoring of the application.

FIG. 13 is a schematic representation of the cloud computing system 102 such as those shown in FIG. 1, according to an embodiment. The cloud computing system 102 includes processing units 1302, a memory unit 1304, a storage unit 1306, a communication interface 1308, and the cloud interface 110.

The processing units 1302 may be one or more processors (e.g., servers). The processing units 1302 are capable of executing machine-readable instructions stored on a computer-readable storage medium such as the memory unit 1304 for performing one or more functionalities described in the foregoing description including but not limited to delivering cloud services to authorized tenants, and managing artifacts during their lifecycle. The memory unit 1304 includes the cloud computing platform 114 stored in the form of machine-readable instructions and executable by the processing units 1302. Alternatively, the cloud computing platform 114 may take a form of hardware such as a processor with embedded software. The cloud computing platform includes the artifact lifecycle management module 116.

The storage unit 1306 may be volatile or non-volatile storage. In the embodiment, the storage unit 1306 includes the artifact repository 128 for storing artifact packages and artifact signatures. The storage unit 1306 may also store raw or aggregated data received from the industrial plant 106. The communication interface 1308 acts as an interconnect device or system between different components of the cloud computing system 102. The communication interface 1108 may enable communication between the processing units 1302, the memory unit 1304, and the storage units 1106. The processing units 1302, the memory unit 1304, and the storage unit 1306 may be located in the same location or at different locations remote from the industrial plant 106.

The cloud interface 110 is configured to establish and maintain communication links with the industrial plant 106. Also, the cloud interface 110 is configured to maintain a communication channel between the cloud computing system 102 and the user devices 130A-N.

In various embodiments, the cloud computing system 102 is configured to securely deploy artifacts in a productive environment so that non-authentic artifacts are not deployed in the productive environment. The cloud computing system 102 provides that assets or their operation are not affected by the artifacts deployed in the productive environment. This is achieved by verifying the artifact signature (e.g., unique hash key) of each artifact. This helps in identifying the authenticity of the artifacts prior to deploying in the productive environment. The secure deployment of the artifacts makes the productive environment of the cloud computing system free from security risks, which is very important for smooth operation of an industrial plant.

The present disclosure may take a form of a computer program product including program modules accessible from a computer-usable or computer-readable medium storing program code for use by or in connection with one or more computers, processors, or instruction execution systems. For the purpose of this description, a computer-usable or computer-readable medium may be any apparatus that may contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. The medium may be an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system (or apparatus or device) or a propagation medium; propagation mediums in and of themselves, as signal carriers, are not included in the definition of physical computer-readable medium. Examples of a physical computer-readable medium include a semiconductor or solid state memory, magnetic tape, a removable computer diskette, random access memory (RAM), a read only memory (ROM), a rigid magnetic disk, and an optical disk such as compact disk read-only memory (CD-ROM), compact disk read/write, and DVD. Both processors and program code for implementing each aspect of the technology may be centralized or distributed (or a combination thereof) as known to those skilled in the art.

It is to be understood that the elements and features recited in the appended claims may be combined in different ways to produce new claims that likewise fall within the scope of the present disclosure. Thus, whereas the dependent claims appended below depend from only a single independent or dependent claim, it is to be understood that these dependent claims may, alternatively, be made to depend in the alternative from any preceding or following claim, whether independent or dependent, and that such new combinations are to be understood as forming a part of the present specification.

While the present disclosure has been described above by reference to various embodiments, it may be understood that many changes and modifications may be made to the described embodiments. It is therefore intended that the foregoing description be regarded as illustrative rather than limiting, and that it be understood that all equivalents and/or combinations of embodiments are intended to be included in this description. 

1. A method of securely deploying artifacts on a cloud computing system, the method comprising: receiving a request to deploy an artifact on the cloud computing system, wherein the request comprises a unique identifier of the artifact; retrieving an artifact signature associated with the artifact from an artifact repository using the unique identifier of the artifact; re-generating the artifact signature of the artifact using artifact package files; verifying the artifact based on a match of the re-generated artifact signature with the retrieved artifact signature; and deploying the artifact in a productive environment of the cloud computing system when the artifact is successfully verified, wherein the artifact deployed in the productive environment is accessible by one or more tenants of the cloud computing system.
 2. The method of claim 1, wherein the verifying of the artifact comprises: retrieving an artifact package associated with the artifact from the artifact repository; re-generating the artifact signature using artifact files associated with the artifact to be deployed on the cloud computing system, wherein the re-generating is performed before the retrieving of the artifact signature associated with the artifact from the artifact repository; comparing the re-generated artifact signature with the artifact signature retrieved from the artifact repository; determining whether the match is found between the re-generated artifact signature and the retrieved artifact signature; retrieving the artifact package associated with the artifact and associated files from the artifact repository and generating a trigger to deploy the artifact in the productive environment of the cloud computing system when the re-generated artifact signature matches the retrieved artifact signature; and generating a notification indicating that verification of the artifact failed when the re-generated artifact signature does not match with the retrieved artifact signature.
 3. The method of claim 2, wherein the re-generating of the artifact signature using the artifact package associated with the artifact comprises: generating a unique hash key by applying a cryptographic algorithm on the artifact package.
 4. The method of claim 3, wherein the cryptographic algorithm is a secure hashing algorithm (SHA).
 5. The method of claim 1, further comprising: provisioning the deployed artifact to the one or more tenants by assigning the artifact to one or more requesting tenants.
 6. The method of claim 5, wherein the provisioning of the deployed artifact to the one or more tenants comprises: creating a set-up route between the deployed artifact and the tenants to enable the one or more tenants to view, access, and use the artifact and functionality of the artifact via the cloud computing system.
 7. The method of claim 1, wherein the deploying of the artifact in the productive environment of the cloud computing system comprises: installing the artifact package in the productive environment using at least one application programming interface and database files.
 8. The method of claim 1, wherein the artifact signature retrieved from the artifact repository is generated during validation of the artifact.
 9. A cloud computing system comprising: one or more processing units; and at least one memory unit communicatively coupled to the one or more processing units, wherein the at least one memory unit, with the one or more processing units, is configured to: receive a request to deploy an artifact on the cloud computing system, wherein the request comprises a unique identifier of the artifact; retrieve an artifact signature associated with the artifact from an artifact repository using the unique identifier of the artifact; re-generate the artifact signature of the artifact using artifact package files; verify the artifact based on a match of the re-generated artifact signature with the retrieved artifact signature; and deploy the artifact in a productive environment of the cloud computing system when the artifact is successfully verified, wherein the artifact deployed in the productive environment is accessible by one or more tenants of the cloud computing system.
 10.-11. (canceled)
 12. The cloud computing system of claim 9, wherein the verification of the artifact comprises: retrieval of an artifact package associated with the artifact from the artifact repository; re-generation of the artifact signature using artifact files associated with the artifact to be deployed on the cloud computing system, wherein the re-generation is performed before the retrieving of the artifact signature associated with the artifact from the artifact repository; a comparison of the re-generated artifact signature with the artifact signature retrieved from the artifact repository; a determination of whether the match is found between the re-generated artifact signature and the retrieved artifact signature; retrieval of the artifact package associated with the artifact and associated files from the artifact repository and generating a trigger to deploy the artifact in the productive environment of the cloud computing system when the re-generated artifact signature matches the retrieved artifact signature; and generation of a notification indicating that verification of the artifact failed when the re-generated artifact signature does not match with the retrieved artifact signature.
 13. The cloud computing system of claim 12, wherein the deployment of the artifact in the productive environment of the cloud computing system comprises: installation of the artifact package in the productive environment using at least one application programming interface and database files.
 14. The cloud computing system of claim 12, wherein the re-generation of the artifact signature using the artifact package associated with the artifact comprises: generation of a unique hash key by applying a cryptographic algorithm on the artifact package.
 15. The cloud computing system of claim 14, wherein the cryptographic algorithm is a secure hashing algorithm (SHA).
 16. The cloud computing system of claim 14, wherein the deployment of the artifact in the productive environment of the cloud computing system comprises: installation of the artifact package in the productive environment using at least one application programming interface and database files.
 17. The cloud computing system of claim 9, wherein the at least one memory unit, with the one or more processing units, is further configured to: provision the deployed artifact to the one or more tenants by assigning the artifact to one or more requesting tenants.
 18. The cloud computing system of claim 17, wherein the provisioning of the deployed artifact to the one or more tenants comprises: creation of a set-up route between the deployed artifact and the tenants to enable the one or more tenants to view, access, and use the artifact and functionality of the artifact via the cloud computing system.
 19. The cloud computing system of claim 9, wherein the deployment of the artifact in the productive environment of the cloud computing system comprises: installation of the artifact package in the productive environment using at least one application programming interface and database files.
 20. The cloud computing system of claim 9, wherein the artifact signature retrieved from the artifact repository is generated during validation of the artifact.
 21. The method of claim 2, wherein the deploying of the artifact in the productive environment of the cloud computing system comprises: installing the artifact package in the productive environment using at least one application programming interface and database files.
 22. The method of claim 3, wherein the deploying of the artifact in the productive environment of the cloud computing system comprises: installing the artifact package in the productive environment using at least one application programming interface and database files. 